zmcreatecert usage of keytool

We recently got ZCS (Open Source Edition) installed and working for non-profit use, and we have to say that we are very impressed with it thus far. It is a huge improvement over our current installation. However, we ran into a problem while creating our self-signed SSL certificate and would like to know what the "official" way to get this working is.

Essentially, our issue arises from the need for virtual hosting. We handle email for several domains, and all of them require https:// access, as well as imap-ssl and smtp-ssl. So this time around, we thought that we would insert the needed changes to zmssl.cnf and recreate our certs using the method outlined in the wiki. However, our SubjectAltName extensions were not getting into the final certificates, and we spent a lot of time figuring out why. Essentially, zmcreatecert uses Java's keytool (not openssl) to generate certificate requests, and keytool doesn't use zmssl.cnf, meaning that any/all SSL extensions we specified in zmssl.cnf will never get included in any server certs.

However, we worked around the problem for now by adding the extensions at the signing stage in zmcreatecert, adding the following arguments to the second call of openssl in signCertReq():

-extensions v3_req -extfile ${BASE}/zmssl.cnf

This causes openssl to append the extensions (the same ones it did to the smtpd certificate request) to the signed Tomcat certificate.

So, we have two questions:

(1) Why does Zimbra use different certs for smtpd vs. httpd in a self-signed installation? The instructions posted on the Wiki actually use one certificate for both smtpd and Tomcat if using a commercial cert. Is there any reason why we could not do the same for a self-signed installation?

(2) How can we get the same end result without having to make local changes to zmcreatecert? We would rather not have to play the local patch game, particularly when upgrading to future versions of the ZCS.
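An added example, not part of the original post or of Zimbra's zmcreatecert, that reproduces the behaviour described above with a throwaway CA: the same CSR is signed once without and once with the `-extensions v3_req -extfile` workaround, and the resulting certificates are checked for SubjectAltName entries. The config file is a constructed stand-in for ${BASE}/zmssl.cnf, and the host names in it are made up.

```shell
#!/bin/sh
# Added example: show that "openssl x509 -req" drops request extensions unless
# told to take them from an extfile, then verify the SAN in the signed cert.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/zmssl.cnf"   # constructed stand-in for ${BASE}/zmssl.cnf

# Constructed minimal config; v3_req carries the SANs for the hosted domains.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions = v3_req
prompt = no
[ req_dn ]
CN = mail.example.org
[ v3_req ]
subjectAltName = DNS:mail.example.org,DNS:mail.example.net
EOF

# Throwaway CA used to sign the server request.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
  -subj "/CN=Test CA" -days 365 >/dev/null 2>&1

# Server key and CSR; with -config the CSR itself does carry the SAN.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
  -out "$WORK/server.csr" -config "$CNF" >/dev/null 2>&1

# sign_csr <csr> <out> [extra openssl args...]: sign the request with the test CA.
sign_csr() {
  csr=$1; out=$2; shift 2
  openssl x509 -req -in "$csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$out" -days 365 "$@" >/dev/null 2>&1
}

# san_count <cert>: number of DNS names in the cert's SAN (0 = extension absent).
san_count() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*' | wc -l | tr -d ' '
}

# Default signing: extensions present in the CSR are not copied into the cert.
sign_csr "$WORK/server.csr" "$WORK/plain.crt"
# With the workaround from the post: extensions come from the config at signing time.
sign_csr "$WORK/server.csr" "$WORK/ext.crt" -extensions v3_req -extfile "$CNF"

echo "SANs without -extfile: $(san_count "$WORK/plain.crt")"   # 0
echo "SANs with -extfile:    $(san_count "$WORK/ext.crt")"     # 2
```

The san_count check is the one to run against a freshly generated Zimbra certificate to confirm the extensions actually landed, whichever way the signing step was changed.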